
RFC: Expand checks about requirements to userspace classes #250

Merged: 3 commits from the userspace_classes branch into SELinuxProject:main, Jan 8, 2024

Conversation

@cgzones (Contributor) commented Sep 20, 2022

Expand the checks W-001, W-002 and W-003 to security classes.

Since the system class is used both by the kernel and in userspace by systemd, some machinery needs to be added to gather the associated used permissions.
This can also be reused to infer the type of identifiers, see #206.

@dburgener (Member) commented:
Just a quick comment on the RFC nature of this: The high level idea seems really valuable, and like a good addition to SELint. Thanks for putting in the work on this!

Looks like a pretty large chunk of code, so I don't think I'll have time to review it this week, but I'll aim to set aside some time next week.

@cgzones cgzones changed the base branch from master to main December 29, 2023 16:28
@cgzones cgzones mentioned this pull request Dec 29, 2023
Review threads (all resolved): src/name_list.c, src/if_checks.c (two threads, outdated), src/startup.c (two threads, one outdated), src/maps.c
For checks checking for missing or redundant required types
`get_names_in_node()` and `get_names_required()` return a list of names.
Currently those are just a list of strings without any type information.
Add a new datatype to store known type information to improve checks
iterating these names.
Refpolicy findings:

    unconfined.te:       63: (W): No explicit declaration for userspace class system.  You should access it via interface call or use a require block. (W-001)
    systemd.te:        1170: (W): No explicit declaration for userspace class dbus.  You should access it via interface call or use a require block. (W-001)
    systemd.te:        1282: (W): No explicit declaration for userspace class dbus.  You should access it via interface call or use a require block. (W-001)
    init.te:            261: (W): No explicit declaration for userspace class system.  You should access it via interface call or use a require block. (W-001)
    init.te:            302: (W): No explicit declaration for userspace class service.  You should access it via interface call or use a require block. (W-001)
    init.te:           1094: (W): No explicit declaration for userspace class system.  You should access it via interface call or use a require block. (W-001)
    init.te:           1102: (W): No explicit declaration for userspace class service.  You should access it via interface call or use a require block. (W-001)
    init.te:           1110: (W): No explicit declaration for userspace class service.  You should access it via interface call or use a require block. (W-001)
    init.te:           1114: (W): No explicit declaration for userspace class service.  You should access it via interface call or use a require block. (W-001)
    init.te:           1115: (W): No explicit declaration for userspace class service.  You should access it via interface call or use a require block. (W-001)
    devicekit.te:        56: (W): No explicit declaration for userspace class dbus.  You should access it via interface call or use a require block. (W-001)
    devicekit.te:       157: (W): No explicit declaration for userspace class dbus.  You should access it via interface call or use a require block. (W-001)
    devicekit.te:       297: (W): No explicit declaration for userspace class dbus.  You should access it via interface call or use a require block. (W-001)
    kernel.te:          558: (W): No explicit declaration for userspace class system.  You should access it via interface call or use a require block. (W-001)
    chromium.if:        139: (W): Class dbus is listed in require block but not used in interface (W-003)
    init.if:           1200: (W): Class system is used in interface but not required (W-002)
    init.if:           1218: (W): Class system is used in interface but not required (W-002)
    init.if:           1236: (W): Class system is used in interface but not required (W-002)
    init.if:           1254: (W): Class system is used in interface but not required (W-002)
    init.if:           1272: (W): Class system is used in interface but not required (W-002)
    init.if:           1290: (W): Class system is used in interface but not required (W-002)
    init.if:           1308: (W): Class system is used in interface but not required (W-002)
    init.if:           1326: (W): Class system is used in interface but not required (W-002)
    init.if:           1401: (W): Class bpf is listed in require block but is not a userspace class (W-003)
    systemd.if:         148: (W): Class system is used in interface but not required (W-002)
    systemd.if:         158: (W): Class service is used in interface but not required (W-002)
    systemd.if:         159: (W): Class service is used in interface but not required (W-002)
    systemd.if:         391: (W): Class system is used in interface but not required (W-002)
    systemd.if:         415: (W): Class system is used in interface but not required (W-002)
    systemd.if:         439: (W): Class system is used in interface but not required (W-002)
    unconfined.if:       34: (W): Class service is listed in require block but not used in interface (W-003)
    xserver.if:         353: (W): Class x_property is listed in require block but not used in interface (W-003)
    postgresql.if:       31: (W): Class db_database is listed in require block but not used in interface (W-003)
    postgresql.if:       37: (W): Class db_language is listed in require block but not used in interface (W-003)
    postgresql.if:      465: (W): Class db_database is listed in require block but not used in interface (W-003)
    postgresql.if:      471: (W): Class db_language is listed in require block but not used in interface (W-003)
    Found the following issue counts:
    W-001: 14
    W-002: 14
    W-003: 8
Add a section to the README mentioning the expected policy conventions,
which are used to improve comprehension of the policy and thereby the
accuracy of the checks.
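The findings above follow from two rules: an interface that uses a userspace class must list it in its gen_require() block (W-002), and a gen_require() entry must name a userspace class that the interface actually uses (W-003). The wrinkle the first commit message points at is the shared `system` class, which the kernel checks for some permissions and systemd for others, so whether a rule on `system` counts as a userspace use depends on the permissions requested. The following toy checker is an added example written for this page, not SELint's code (SELint is C and works on its own parse tree); it handles only single-class AV rules and gen_require() blocks, and the USERSPACE_CLASSES and USERSPACE_PERMS tables, the SAMPLE_IF text and the demo_* interface names are all constructed here rather than taken from refpolicy or SELint.

```python
"""Toy re-implementation of SELint-style checks W-002/W-003 for userspace
object classes in SELinux reference-policy interface (.if) files.

Not SELint's code: it only understands single-class AV rules and
gen_require() blocks, and the class/permission tables are constructed for
the demo instead of being read from policy/flask/.
"""
import re

# Constructed tables (assumption: a real tool derives them from the policy).
USERSPACE_CLASSES = {"dbus", "service", "system", "x_property",
                     "db_database", "db_language"}
# `system` is shared: the kernel enforces e.g. ipc_info/syslog_read, while
# systemd enforces the permissions below.  A rule on `system` only counts as
# a userspace use when at least one requested permission is in this set.
USERSPACE_PERMS = {"system": {"status", "start", "stop", "reload",
                              "enable", "disable", "halt", "reboot"}}

# interface(`name',` ... ') with the closing ') at column 0
IFACE_RE = re.compile(r"^interface\(`(\w+)',`(.*?)^'\)", re.M | re.S)
# gen_require(` ... ') inside an interface body
REQUIRE_RE = re.compile(r"gen_require\(`(.*?)'\)", re.S)
# "class NAME perm;" or "class NAME { perms };" inside a require block
REQ_CLASS_RE = re.compile(r"\bclass\s+(\w+)\s+(?:\{[^}]*\}|\w+)\s*;")
# the ":class perms;" tail of an AV rule
AV_RE = re.compile(r":(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")


def _perms(braced, single):
    """Permission set from either a braced list or a single permission."""
    return set(braced.split()) if braced else {single}


def _userspace_use(cls, perms):
    """True if a rule on cls with perms needs a userspace-class require."""
    if cls not in USERSPACE_CLASSES:
        return False
    shared = USERSPACE_PERMS.get(cls)
    return shared is None or bool(perms & shared)


def check_interfaces(text):
    """Return [(interface, code, message)] for every finding, in file order."""
    findings = []
    for name, body in IFACE_RE.findall(text):
        required = set()
        for req in REQUIRE_RE.findall(body):
            required.update(REQ_CLASS_RE.findall(req))
        rules = REQUIRE_RE.sub("", body)   # a require entry is not a use
        used_any, used_userspace = set(), set()
        for cls, braced, single in AV_RE.findall(rules):
            used_any.add(cls)
            if _userspace_use(cls, _perms(braced, single)):
                used_userspace.add(cls)
        for cls in sorted(used_userspace - required):
            findings.append((name, "W-002",
                             f"Class {cls} is used in interface but not required"))
        for cls in sorted(required):
            if cls not in USERSPACE_CLASSES:
                findings.append((name, "W-003",
                                 f"Class {cls} is listed in require block but is not a userspace class"))
            elif cls not in used_any:
                findings.append((name, "W-003",
                                 f"Class {cls} is listed in require block but not used in interface"))
    return findings


# Constructed sample: one clean interface, one with a W-002 and a W-003,
# and one whose `system` use is kernel-side only but requires a kernel class.
SAMPLE_IF = r"""
interface(`demo_start_service',`
    gen_require(`
        type demo_t;
        class service start;
    ')

    allow $1 demo_t:service start;
')

interface(`demo_status',`
    gen_require(`
        type demo_t;
        class dbus send_msg;
    ')

    allow $1 demo_t:system status;
')

interface(`demo_kernel_system',`
    gen_require(`
        type demo_t;
        class bpf prog_run;
    ')

    allow $1 demo_t:system { ipc_info syslog_read };
    allow $1 demo_t:bpf prog_run;
')
"""

if __name__ == "__main__":
    for iface, code, msg in check_interfaces(SAMPLE_IF):
        print(f"{iface}: (W): {msg} ({code})")
```

The same userspace-versus-kernel classification of a `system` rule is what W-001 needs on .te files: a rule such as `allow init_t self:system status;` needs a require block or an interface call, while `allow kernel_t self:system ipc_info;` does not, and a checker that only looked at the class name could not tell the two apart.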
@dburgener dburgener merged commit 954c029 into SELinuxProject:main Jan 8, 2024
3 checks passed
@dburgener (Member) commented:

This looks good, merged, thanks!

@dburgener dburgener mentioned this pull request Jan 8, 2024
dburgener added a commit that referenced this pull request Jan 8, 2024
@cgzones cgzones deleted the userspace_classes branch January 8, 2024 16:10
@cgzones cgzones mentioned this pull request Jan 9, 2024
dburgener added a commit that referenced this pull request Jan 9, 2024